
Chapter overview: SNMP versions

SNMPv1: message structure, MIB structure. SNMPv2c: the GetBulk and Notification operations, message structure, MIB structure. SNMPv3: authentication and privacy algorithms, the order in which SNMPv3 is configured.

SNMP toàn tập

Chapter 4: SNMP versions

1. SNMP versions
In what ways do the SNMP versions differ?
+ They differ in their operations: SNMPv1 has 5 operations, and the later versions add some new ones.
+ They differ in message format: each version has its own message structure.
Which SNMP versions are there?
+ SNMPv1: the first version of SNMP, with 5 operations: Get, GetNext, Set, Response, Trap.
+ SNMPv2c: SNMP version 2 is split into two versions with different security mechanisms; the one that keeps the community-string mechanism of SNMPv1 is called Community-based SNMPv2, or SNMPv2c. Some documents wrongly state that SNMPv2c adds a community-string mechanism compared with SNMPv1; in fact SNMPv2c and SNMPv1 both have the same simple community authentication.
+ SNMPv2u: the SNMPv2 version whose security mechanism authenticates with a hash[1] and encrypts data symmetrically[2], called User-based SNMPv2, or SNMPv2u. SNMPv3 later appeared and replaced SNMPv2u completely, and SNMPv2u is no longer preferred. SNMPv2u is therefore not covered in this document, while SNMPv3 is covered in detail. In practice it is very hard to find a device that still supports SNMPv2u.
+ SNMPv3: the most secure version of SNMP, using the User-based Security Model with modern hash-based authentication (MD5, SHA) and encryption (DES, AES). Writing applications that support SNMPv3 is more complex, so most SNMP manager software supports SNMPv3 only in its paid edition, while the free edition supports only SNMPv1 and SNMPv2.
Why do you need to know the differences between the versions? If your job is only to use an SNMP application to manage the devices in your company, you need to know just two things: which SNMP versions your devices support, and whether the SNMP manager software you own supports the corresponding version. In that case you can stop reading this document here, as the following sections will not be relevant. Most SNMP documents do not describe the different versions in detail, and most readers do not need them. If you are a senior engineer who needs to debug SNMP version-compatibility problems, for example some software that cannot manage one of your devices, then you need to understand the differences between the versions.
And if you are an SNMP application programmer, understanding the different versions clearly is mandatory: your software must be compatible with devices that support different versions.
Documents related to the SNMP versions
Studying the SNMP versions takes a lot of time, and many RFC specifications relate to them. Within the scope of this document the author cannot cover everything beyond the main characteristics. The following table lists the main RFCs of the SNMP versions:

Year | RFC | Content | Replaces
1990 | RFC1155 - Structure and Identification of Management Information for TCP/IP-based Internets | MIB structure of devices running on TCP/IP (SMIv1) | RFC1065
1990 | RFC1156 - Management Information Base for Network Management of TCP/IP-based internets | Internet-standard MIB version 1, also called mib-1 | RFC1066
1990 | RFC1157 - A Simple Network Management Protocol (SNMP) | SNMPv1 protocol specification | RFC1098
1991 | RFC1213 - Management Information Base for Network Management of TCP/IP-based internets: MIB-II | Internet-standard MIB version 2, also called mib-2 | RFC1158
2000 | RFC2790 - Host Resources MIB | MIB structure of host-type devices (servers) | RFC1514
1996 | RFC1901 - Introduction to Community-based SNMPv2 | The first short document introducing SNMPv2 | -
1999 | RFC2578 - Structure of Management Information Version 2 (SMIv2) | MIB structure of devices running on TCP/IP, version 2 (SMIv2) | RFC1902
1999 | RFC2579 - Textual Conventions for SMIv2 | Defines the textual data types of SMIv2 | RFC1903
2002 | RFC3416 - Version 2 of the Protocol Operations for the Simple Network Management Protocol | Specifies the SNMPv2 operations | RFC1905
2002 | RFC3418 - Management Information Base for the Simple Network Management Protocol | MIB structure of SNMPv2 | RFC1907
1996 | RFC1910 - User-based Security Model for SNMPv2 | Specifies the security model of SNMPv2u | -
2002 | RFC3412 - Message Processing and Dispatching for the Simple Network Management Protocol | Describes the SNMPv3 message structure | RFC2572
2002 | RFC3414 - User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) | Security model of SNMPv3 | RFC2574

[1] Hashing is a method of transforming a source text (message) into a much shorter string (digest) from which the message cannot be recovered; hashing is also called one-way encryption. The common hash methods today are MD5 and SHA.
[2] Symmetric encryption is an encryption method that uses the same key to encrypt and to decrypt, unlike asymmetric encryption, which uses different encryption and decryption keys.

DIỆP THANH NGUYÊN, 2010

The Replaces column lists the earlier RFCs with the same content; readers should take care to use the newest RFC. Some SNMP documents were written before the new RFCs appeared, so they explain obsolete RFCs. For example, SNMPv2 used to have RFCs 1901 to 1908, but RFC1902, 1903, 1904, 1905, 1906 and 1907 have now been replaced by RFC2578, 2579, 2580, 3416, 3417 and 3418. RFCs can be found at two sources: http://tools.ietf.org/html/ or http://www.faqs.org/rfcs/. To look up whether an RFC has been replaced by a newer one, search at http://www.faqs.org/rfcs/rfc-obsolete.html. By the time you read this document, some RFCs cited here may have become obsolete.

2. SNMPv1
Chapter 1 covered the SNMPv1 topics: the 5 operations and the message structure. This chapter restates them briefly and adds the structure of the PDUs[3].
SNMPv1 operations
+ GetRequest: retrieve the information of the object whose OID is in the message.
+ GetNextRequest: retrieve the information of the object that follows the object whose OID is in the message.
+ SetRequest: set the value of the object whose OID is in the message.
+ GetResponse: return the result after a Get or a Set.
+ Trap: notify that an event has occurred at the agent.
The agent listens for requests on UDP port 161, and the manager receives traps on UDP port 162.

[3] The structure of the SNMPv1 message and of its PDUs is described in full in RFC1157.


Structure of the GetRequest PDU
+ request-id: the request number. This ID is a random number generated by the manager; when the agent sends the GetResponse for a request, it must send the same request-id it received. Between a manager and an agent there may be many requests and responses; a request and a response belong to the same exchange when they carry the same request-id.
+ error-status: 0 means the operation succeeded without error; any other value means an error occurred, and the value describes the error code. In GetRequest, GetNextRequest and SetRequest messages error-status is always 0.
+ error-index: the ordinal number of the objectid related to the error, if any. The variable-bindings may hold many objectids, numbered from 1 to n; a single GetRequest message can retrieve many objects at once.
+ variable-bindings: the list of [ObjectID Value] pairs to retrieve, where objectId identifies the object to retrieve and value carries no value. When the agent sends its reply it copies this message and fills in value with the value of the object.

[Figure: Get/GetNext/Set/Response PDU structure: request-id | error-status | error-index | variable-bindings (objectID 1, Value 1 ... objectID n, Value n)]

Using a packet-capture tool such as Wireshark[4] you can see the structure of a GetRequest message.

The figure above shows the structure of an SNMP message whose PDU is a GetRequest. It contains:
+ version is v1; the 0 in parentheses is the value of the version field, and the value 0 means version 1.
+ community is public.
+ request-id = 2142061952.
+ error-status = 0, meaning no error. Only in the GetResponse message is error-status actually used.
+ error-index = 0.
+ the variable-bindings part contains 1 item; each item is an objectid-value pair.
+ objectid is .1.3.6.1.2.1.1.3.0, which according to mib-2 is sysUpTime.0.
+ Scalar instance index = 0; this is the index of sysUpTime. Since a device has only one notion of sysUpTime, the index is 0 (sysUpTime.0). If you request ifDescr, for example, each interface has a different description and a different index.
+ value = unSpecified. Since the message is a GetRequest, value carries no value; the value is written into this position in the GetResponse message.
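The message above built byte by byte, as an added example (not code from the book): a standard-library Python encoder and decoder for an SNMPv1 GetRequest with the same version, community, request-id and varbind, which also makes plain that the community string travels in clear text.

```python
# Added example (not from the book): BER-encode the SNMPv1 GetRequest above, then decode it.
def _tlv(tag, payload):
    """BER type-length-value with a one-byte (short-form) length; enough for this PDU."""
    assert len(payload) < 128, "short-form length only"
    return bytes([tag, len(payload)]) + payload

def _int(value):  # BER INTEGER (0x02): minimal two's-complement big-endian bytes
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    """BER OBJECT IDENTIFIER (0x06): first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def build_get_request(community, request_id, oids):
    """Message = SEQUENCE { version 0, community OCTET STRING, GetRequest-PDU (tag 0xA0) }."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + _tlv(0x05, b"")) for o in oids)  # NULL values
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _items(buf):
    """Yield (tag, payload) for every TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, n = buf[pos], buf[pos + 1]
        yield tag, buf[pos + 2:pos + 2 + n]
        pos += 2 + n

def _decode_oid(raw):
    """Inverse of _oid."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return "." + ".".join(map(str, arcs))

def parse_message(buf):
    """Decode version, community, PDU header and varbinds; NULL -> None. All in clear text."""
    [(_, msg)] = _items(buf)
    (_, ver), (_, comm), (pdu_tag, pdu) = _items(msg)
    (_, rid), (_, est), (_, eix), (_, vbl) = _items(pdu)
    as_int = lambda raw: int.from_bytes(raw, "big", signed=True)
    def varbind(vb):
        (_, oid), (vtag, val) = _items(vb)
        return _decode_oid(oid), None if vtag == 0x05 else val
    return {"version": as_int(ver), "community": comm.decode(), "pdu_tag": pdu_tag,
            "request_id": as_int(rid), "error_status": as_int(est),
            "error_index": as_int(eix), "varbinds": [varbind(vb) for _, vb in _items(vbl)]}
```

Calling build_get_request("public", 2142061952, [".1.3.6.1.2.1.1.3.0"]) yields the 43-byte message whose fields Wireshark decodes above; parse_message reads them back without any key, which is exactly the weakness of community-based versions.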

[4] Wireshark is a free packet analysis tool; download it from http://wireshark.org


Structure of the GetResponse PDU
+ request-id: the request number. This ID must match the request-id of the preceding GetRequest message.
+ error-status: one of the values noError(0), tooBig(1), noSuchName(2), badValue(3), readOnly(4), genErr(5). If the agent retrieves the information and answers the request successfully, error-status is noError(0).
+ objectid: the identifier of the returned object. If the preceding message was a GetRequest, the objectid is the same as the objectid in the request; if it was a GetNextRequest, the objectid identifies the object that follows (in the MIB) the request's objectid.
The following figure is the reply to the sysUpTime GetRequest above, with the returned value 109852988 (centiseconds).

Structure of the GetNextRequest PDU
The GetNextRequest structure is the same as GetRequest, differing only in the byte that marks the message as a GetNextRequest PDU. The following figure is a GetNextRequest with objectid sysContact; the agent then sends a GetResponse with objectid sysName, because sysName follows sysContact in the MIB. Note that the request-ids are the same.


Structure of the SetRequest PDU
The SetRequest structure is also the same as GetRequest; objectid-value names the object and the value to set. The following figure is a SetRequest that sets the device name to Cisco2950; the agent then sends a GetResponse reporting the value of sysName after the set.

Structure of the Trap PDU
The SNMPv1 trap message has the following structure:

[Figure: Trap PDU structure: enterprise | agent-addr | generic-trap | specific-trap | time-stamp | variable-bindings (objectID 1, Value 1 ... objectID n, Value n)]

+ enterprise: the type of the object that sent the trap. This is an OID that identifies what kind of device sent the trap, down to the manufacturer, category and model. The OID consists of an enterprise number and a device id that the vendor defines itself.
+ agent address: the IP address of the source that generated the trap. You may wonder why the trap carries the IP of its source when the IP packet carrying the SNMP message already has a source address. Suppose your monitoring model is as follows: all trap senders are configured to send traps to an intermediate trap receiver, called a trap relay, and the trap relay then forwards them to many trap receivers at once; in that case the trap received at a trap receiver has the trap relay's IP as its source, while the IP of the real trap source is in agent address.
+ generic-trap: the type among the generic trap kinds.
+ specific-trap: the type among the user-defined trap kinds.
+ time-stamp: the time from when the device started until the trap was sent, in centiseconds.
+ variable-bindings: the objectID-value pairs describing the objects related to the trap.


The following figure is a trap reporting that interface FastEthernet0/21 is UP.

+ enterprise = .1.3.6.1.4.1.9.1.324; this is the identifier of the Cisco Catalyst 2950 switch (.9.1.324).
+ agent-addr = 192.168.47.253
+ generic-trap = 3, indicating a generic trap; the value 3 means linkUp.
+ specific-trap = 0; since this is a generic trap, specific is not used.
+ time-stamp = 173729742.
+ variable-bindings contains 4 items, that is 4 objectid-value pairs: ifIndex=21, ifDescr=FastEthernet0/21, ifType=6, and a Cisco-specific object with value = 7570 (the two hex characters 0x75 0x70 spell "up").

3. SNMPv2c
The differences between SNMPv2c and SNMPv1 are:
+ More operations than SNMPv1.
+ A Trap PDU structure different from SNMPv1.
+ An additional Bulk PDU with its own structure.
SNMPv2c operations
SNMPv2c has 8 operations: GetRequest, GetNextRequest, Response, SetRequest, GetBulkRequest, InformRequest, Trap and Report. Compared with SNMPv1, v2c thus adds the GetBulk, Inform and Report operations.
+ GetRequest: the manager sends a GetRequest to the agent to retrieve information.
+ GetNextRequest: the manager sends a GetNextRequest to the agent to retrieve the information of the object following the object named in the GetNext message.
+ SetRequest: the manager sends a SetRequest to the agent to set the value of some object.
+ GetBulkRequest: this operation retrieves a whole series of objects in a single GetBulk message. Get/GetNext messages can still retrieve many objects at once by putting all of them in the variable-bindings list of the request, but GetBulk can retrieve many objects while naming only 1 object in variable-bindings.
+ Response: the agent sends a Response to the manager to report the result of the request it received; Response is the reply to Get/GetNext/GetBulk/Set/Inform requests.
+ Trap: the agent sends a Trap to the manager to report an event occurring at the agent.
+ InformRequest: works like a trap, but when the manager receives an InformRequest it sends back a Response to acknowledge receipt, whereas Trap has no acknowledgement mechanism.
+ Report: the Report message is not defined in RFC3416; systems that use Report must define it themselves, but a Report message still has the same structure as the other messages.
The agent listens for requests on UDP port 161, and the manager receives traps and informs on UDP port 162.


The following figure illustrates the SNMPv2c operations:

[Figure: SNMPv2c operations. Manager to agent: GetRequest, GetNextRequest, SetRequest and GetBulkRequest, each answered by a Response from the agent. Agent to manager: Trap (no reply) and InformRequest (answered by a Response from the manager).]

Figure: the SNMPv2c operations

SNMPv2c message structure
The general structure of an SNMPv2c message is as follows[5]:

[Figure: SNMPv2c message layering]
Ethernet frame
  IP packet
    UDP packet
      SNMP packet
        version = 1
        community string
        data (GetRequest PDU, GetNextRequest PDU, Response PDU, SetRequest PDU, GetBulkRequest PDU, InformRequest PDU, Trap PDU, Report PDU)

+ version: the SNMP version (v1 = 0, v2c = 1, v2u = 2, v3 = 3).
+ community string: the community string.
+ data: the data part is the message corresponding to the SNMP operation. In SNMPv2c there are 2 kinds of PDU structure: PDU and BulkPDU. GetRequest, GetNextRequest, SetRequest, Response, Trap, InformRequest and Report share the PDU structure, while GetBulkRequest uses the BulkPDU structure[6].
PDU structure
The SNMPv2c PDU structure is unchanged from the SNMPv1 PDU and has the fields:
+ request-id: the request number. This ID is a random number generated by the manager; when the agent sends the Response for a request, it must send the same request-id it received. Between a manager and an agent there may be many requests and responses; a request and a response belong to the same exchange when they carry the same request-id.
+ error-status: 0 means the operation succeeded without error; any other value means an error occurred, and the value describes the error code. In request messages error-status is always 0.
+ error-index: the ordinal number of the objectid related to the error, if any. The variable-bindings may hold many objectids, numbered from 1 to n.

[5] The structure of the SNMPv2 message is described in RFC1901, page 5.
[6] The structure of the SNMPv2c PDUs is described in RFC3416.


+ variable-bindings: the list of [ObjectID Value] pairs to retrieve, where objectId identifies the object and value is the value of that object. In a request message the value is unspecified; in the reply the agent fills in value with the value of the object.

[Figure: Get/GetNext/Set/Response/Trap/Inform PDU structure: request-id | error-status | error-index | variable-bindings (objectID 1, value 1 ... objectID n, value n)]

Bulk PDU structure
GetBulkRequest can retrieve many objects while naming only a few objects in the message it sends. Its principle is to declare the number of objects, counted from the object named in the request, whose information the agent must return in turn, along the lines of "get me up to 20 objects starting from the object with id ...". A GetBulk message contains the fields:
+ request-id: as in the PDU structure.
+ non-repeaters: the number of leading items in the GetBulk variable-bindings that the agent answers with the item following them in the MIB; each such item in the request yields one item in the response.
+ max-repetitions: the remaining items in variable-bindings are answered by the agent with the max-repetitions items that follow them in the MIB; each remaining item in the request has max-repetitions corresponding items in the response.

[Figure: GetBulk PDU structure: request-id | non-repeaters | max-repetitions | variable-bindings (objectID 1, value 1 ... objectID n, value n)]

Example 1: send a GetBulkRequest to retrieve the device name and the description and operational status of the first 3 interfaces, using iReasoning Mib Browser.
+ In iReasoning Mib Browser, open the menu Tools/Options and set Non Repeaters = 1, Max Repetitions = 3.


+ In the MIB tree, hold the Ctrl key and select the objects sysContact, ifDescr and ifOperStatus together; choose Operations = GetBulk and press Go.

+ The software sends a message with non-repeaters = 1, max-repetitions = 3 and a variable-bindings list of 3 items, sysContact, ifDescr and ifOperStatus, as in the following figure:

+ The agent answers with a Response whose variable-bindings list contains 1 item, sysName.0, and 3 pairs of ifDescr + ifOperStatus.
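The assembly of that Response, as an added example (not the book's code): it applies the RFC3416 GetBulk rules to a small constructed MIB view with constructed values. The request names the scalar instance sysContact.0 (whose successor is sysName.0) together with the column OIDs ifDescr and ifOperStatus; the same function also shows what a fourth repetition would return, since it runs off the end of the ifDescr column into ifOperStatus and then to endOfMibView, which is why max-repetitions is best sized to the table being read.

```python
# Added example (not from the book): the Response an agent assembles for the
# GetBulkRequest of Example 1 (non-repeaters = 1, max-repetitions = 3) under the
# RFC3416 rules, over a small constructed MIB view with constructed values.
SYS_CONTACT, SYS_NAME, SYS_LOCATION = "1.3.6.1.2.1.1.4", "1.3.6.1.2.1.1.5", "1.3.6.1.2.1.1.6"
IF_DESCR, IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.2.2.1.8"
NAMES = {SYS_CONTACT: "sysContact", SYS_NAME: "sysName", SYS_LOCATION: "sysLocation",
         IF_DESCR: "ifDescr", IF_OPER_STATUS: "ifOperStatus"}
END_OF_MIB_VIEW = "endOfMibView"

def oid(text):
    """Dotted string -> tuple of arcs; tuples compare in MIB (lexicographic) order."""
    return tuple(int(a) for a in text.strip(".").split("."))

# Constructed agent view: instance OID -> value (insertion order is irrelevant).
AGENT_VIEW = {oid(SYS_CONTACT + ".0"): "noc@example.net", oid(SYS_NAME + ".0"): "Cisco2950",
              oid(SYS_LOCATION + ".0"): "rack 1"}
for i, status in ((1, 1), (2, 2), (3, 1)):              # ifOperStatus: up(1), down(2)
    AGENT_VIEW[oid(f"{IF_DESCR}.{i}")] = f"FastEthernet0/{i}"
    AGENT_VIEW[oid(f"{IF_OPER_STATUS}.{i}")] = status

def symbolic(o):
    """Render an instance OID as name.index using the first matching prefix in NAMES."""
    for prefix, name in NAMES.items():
        p = oid(prefix)
        if o[:len(p)] == p:
            return name + "." + ".".join(map(str, o[len(p):]))
    return "." + ".".join(map(str, o))

def get_next(view, o):
    """GetNext semantics: the lexicographically next instance after o, or endOfMibView."""
    later = sorted(k for k in view if k > o)
    return (later[0], view[later[0]]) if later else (o, END_OF_MIB_VIEW)

def get_bulk(view, non_repeaters, max_repetitions, request_oids):
    """Response varbinds for a GetBulkRequest (RFC3416 section 4.2.3): one GetNext for
    each of the first non-repeaters OIDs, then max-repetitions rows of successive
    GetNexts over the remaining OIDs, row by row (descr.1, status.1, descr.2, ...)."""
    req = [oid(o) for o in request_oids]
    response = [get_next(view, o) for o in req[:non_repeaters]]
    cursors = req[non_repeaters:]
    for _ in range(max_repetitions):
        row = [get_next(view, c) for c in cursors]
        response.extend(row)
        cursors = [o for o, _ in row]           # each column continues from its last OID
    return [(symbolic(o), v) for o, v in response]

if __name__ == "__main__":
    # sysContact.0 is the scalar instance; ifDescr and ifOperStatus are column OIDs.
    for name, value in get_bulk(AGENT_VIEW, 1, 3, [SYS_CONTACT + ".0", IF_DESCR, IF_OPER_STATUS]):
        print(f"{name:16} = {value}")
```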


+ Since the request has non-repeaters = 1, the agent answers (without repeating) the first item in the GetBulkRequest, sysContact. Because sysName follows sysContact, the first response item is sysName.0.
+ Since the request has max-repetitions = 3, the agent answers with 3 repetitions for the remaining items in the GetBulkRequest, ifDescr and ifOperStatus. The remaining items in the response are therefore, in turn, 3 pairs of ifDescr & ifOperStatus.
SNMPv2 Trap PDU and InformRequest PDU
Trap and Inform messages have the same PDU structure as the other messages. In SNMPv2, when these messages are sent, the first 2 items in variable-bindings must be sysUpTime.0 and snmpTrapOID.0, followed by the items related to the event, whereas an SNMPv1 Trap contains only the event-related items. The following figure illustrates an SNMPv2 trap.

With sysUpTime.0, the trap receiver knows how long the agent had been running at the moment it emitted the trap. With snmpTrapOID.0, the trap receiver can tell what the trap message means. In the figure above, snmpTrapOID.0 has the value .1.3.6.1.6.3.1.1.5.3, which is the id of the linkDown trap[7]. Of course the trap-receiving software (Wireshark here) must understand this TrapOID in order to display the text IF-MIB::linkDown; if you use a trap receiver that does not understand this TrapOID, it only displays the id string without the linkDown annotation. For example, the last item in the message above is a Cisco-specific trap, so the software cannot annotate it further. The other items give more information about the object that went down, such as index = 22, description = FastEthernet0/22.

4. SNMPv3
(in progress)

Summary
+ SNMP has the versions v1, v2c, v2u and v3.
+ SNMPv1 has 5 operations: GetRequest, GetNextRequest, SetRequest, GetResponse and Trap.
+ SNMPv1 messages have 2 kinds: PDU and Trap-PDU.
+ SNMPv2 has 8 operations: GetRequest, GetNextRequest, SetRequest, Response, GetBulkRequest, Trap, InformRequest and Report.
+ SNMPv2 messages have 2 kinds: PDU and Bulk-PDU.

[7] The linkDown trap is defined in RFC2863, The Interfaces Group MIB, page 48.
